Package: cryptsetup
Version: 2:1.1.0~rc2-1
Severity: wishlist
Tags: patch

Hi Jonas.
Finally, the scripts to support OpenPGP encrypted keys within cryptsetup are finished. Attached you'll find a key-script, a hook-script for initramfs-tools, and extensive documentation.

Apart from supporting more OpenPGP implementations (currently only GnuPG as you've wished) I consider the scripts to be in a rather final and "perfect" state (of course except possible bugs, typos and newer features). I know you dislike many checks and complicated features but I truly think that everything that's done right now has to be done. Removing parts (e.g. the base64 encoding, caching of the read and the decrypted key) would remove features (e.g. support for non-ASCII-armored keys / different commands for reading like cat/passdev / the guarantee that only a correctly decrypted key is written to stdout ... respectively).

As you see, I've retained the name "decrypt_openpgp" for the key-script (instead of decrypt_gpg). I think it's more correct like this. gpg is "just" an implementation, and it's not gpg that's decrypted, but an OpenPGP Message. But I've chosen the name of the hook-script to fit your current scheme. I'd suggest removing the current decrypt_gpg as decrypt_openpgp provides everything of it plus more.

For the scripts to work, Debian bug #557329 has to be resolved and as a personal wish, please also take a quick look at #557405. Both should be easy to fix.

As you can see from the documentation, I use ":" as a separator for options in crypttab. I think it should be possible to change this to "," which is already used for the last field. This would be a cosmetic improvement but I think it would also have some drawbacks. Perhaps we can discuss this off list.

Looking forward to hearing your comments and seeing the scripts included in the cryptsetup package,
Christoph.
CryptsetupOpenPGPScripts.tar.bz2
Description: application/bzip-compressed-tar
smime.p7s
Description: S/MIME cryptographic signature